Legitimate e-mail now constitutes a rounding error when compared with spam, thanks to a standing army of more than a million zombie PCs waging war on in-boxes worldwide on any given day.

Some 94% of all e-mail last December was spam, according to Postini's annual communications intelligence report, which the managed e-mail security company released today.

In 2006, the volume of spam rose 147% by Postini's measure. The company attributes the surge in spam to PCs that have been commandeered by cybercriminals without the knowledge of their owners.

In and of itself, this sounds like the same mixture of marketing and reporting that messaging security firms have engaged in for years. And it is that. But that doesn't diminish the real difficulties businesses face in coping with spam.

"There were two fundamental changes in the world of business communications in 2006 that are going to get even bigger in 2007," says Daniel Druker, executive VP of worldwide marketing for Postini. "The major event in communications security is the emergence of botnets. This has changed the game, the dynamics, and economics of the Internet security marketplace. When the bad guys can now harness more than a million computers around the world and use them to push an increasing amount of attacks, that's a major change."

It's not just the rising volume of spam that's a problem, but the size of the spam messages. Because botnets use stolen bandwidth, spammers can send files of any size at no cost. And that's just what they're doing. In order to defeat content filters that might block their messages, spammers are increasingly using images. The result is that unsolicited bulk e-mail is getting bulkier. The 147% increase in spam that Postini observed in 2006 resulted in a 334% increase in e-mail processing requirement for companies. "This is causing the e-mail infrastructure of many businesses to melt down," says Druker. "Nobody budgeted for four-and-a-half times more infrastructure capacity in one year."

Image spam does represent a growing problem, says Howard Schmidt, president and CEO of R&H Security Consulting and former White House cybersecurity czar, noting that in some ways, image spam is easier to filter. "Probably the biggest issue is the use of botnets."

The second major change, says Druker, "is there is a tremendously heightened concern about the regulatory environment and the increased litigation risk related to business communications."

Now that 90% of business communications are electronic, says Druker, "attorneys have figured out this stuff is gold." And thanks to the new Federal Rules for Civil Procedure that went into effect on Dec. 1, businesses now have to comply with legal discovery requests quickly. That's something the majority of companies aren't prepared for, says Druker.

Implicit in Postini's findings is a pitch for managed e-mail services such as those the company provides. And while there may be compelling reasons to turn the dirty job of e-mail cleaning over to an e-mail security company, Schmidt isn't convinced that's the only way to survive the bot assault. "I'm not sure I agree with that whole concept of 'you can't do it, somebody else has got to do it for you,'" he says. "I use a desktop tool which is basically a toolbar and it's been almost two years now since I've had a spam, phishing e-mail, malware, any of that hit my in-box."